Add Cluster-Autoscaling IAM

Adds the ability and flag for requesting the necessary policy for the cluster-autoscaler application. This will be revisited once the add-on work is done. Issue #170
eksctl-io · Oct 17, 2018 · f216ac9 · f216ac9
1 parent e229797
commit f216ac9
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 2 deletions.
diff --git a/cmd/eksctl/create.go b/cmd/eksctl/create.go
@@ -98,6 +98,7 @@ func createClusterCmd() *cobra.Command {
 	fs.DurationVar(&cfg.WaitTimeout, "timeout", api.DefaultWaitTimeout, "max wait time in any polling operations")
 
 	fs.BoolVar(&cfg.Addons.WithIAM.PolicyAmazonEC2ContainerRegistryPowerUser, "full-ecr-access", false, "enable full access to ECR")
+	fs.BoolVar(&cfg.Addons.WithIAM.PolicyAutoScaling, "asg-access", false, "enable iam policy dependency for cluster-autoscaler")
 	fs.BoolVar(&cfg.Addons.Storage, "storage-class", true, "if true (default) then a default StorageClass of type gp2 provisioned by EBS will be created")
 
 	fs.StringVar(&cfg.NodeAMI, "node-ami", ami.ResolverStatic, "Advanced use cases only. If 'static' is supplied (default) then eksctl will use static AMIs; if 'auto' is supplied then eksctl will automatically set the AMI based on region/instance type; if any other value is supplied it will override the AMI to use for the nodes. Use with extreme care.")

diff --git a/pkg/cfn/builder/api_test.go b/pkg/cfn/builder/api_test.go
@@ -60,7 +60,14 @@ type Template struct {
 
 				PropagateAtLaunch string
 			}
-			UserData string
+			UserData       string
+			PolicyDocument struct {
+				Statement []struct {
+					Action   []string
+					Effect   string
+					Resource interface{}
+				}
+			}
 		}
 	}
 }
@@ -190,7 +197,7 @@ var _ = Describe("CloudFormation template builder API", func() {
 			Expect(err).ShouldNot(HaveOccurred())
 		})
 
-		It("NodeGroup should have correct tags", func() {
+		It("should have correct tags", func() {
 			Expect(len(obj.Resources)).ToNot(Equal(0))
 			Expect(len(obj.Resources["NodeGroup"].Properties.Tags)).To(Equal(2))
 			Expect(obj.Resources["NodeGroup"].Properties.Tags[0].Key).To(Equal("Name"))
@@ -202,6 +209,47 @@ var _ = Describe("CloudFormation template builder API", func() {
 		})
 	})
 
+	Describe("NodeGroupAutoScaling", func() {
+		rs := NewNodeGroupResourceSet(&api.ClusterConfig{
+			ClusterName:       clusterName,
+			AvailabilityZones: testAZs,
+			NodeType:          "t2.medium",
+			Region:            "us-west-2",
+			Addons: api.ClusterAddons{
+				WithIAM: api.AddonIAM{
+					PolicyAutoScaling: true,
+				},
+			},
+		}, "eksctl-test-123-cluster", 0)
+		rs.AddAllResources()
+
+		template, err := rs.RenderJSON()
+		It("should serialise JSON without errors", func() {
+			Expect(err).ShouldNot(HaveOccurred())
+		})
+		obj := Template{}
+		It("should parse JSON withon errors", func() {
+			err := json.Unmarshal(template, &obj)
+			Expect(err).ShouldNot(HaveOccurred())
+		})
+
+		It("should have correct policies", func() {
+			Expect(len(obj.Resources)).ToNot(Equal(0))
+			Expect(obj.Resources["PolicyAutoScaling"]).ToNot(BeNil())
+			Expect(len(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement)).To(Equal(1))
+			Expect(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement[0].Effect).To(Equal("Allow"))
+			Expect(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement[0].Resource).To(Equal("*"))
+			Expect(obj.Resources["PolicyAutoScaling"].Properties.PolicyDocument.Statement[0].Action).To(Equal([]string{
+				"autoscaling:DescribeAutoScalingGroups",
+				"autoscaling:DescribeAutoScalingInstances",
+				"autoscaling:DescribeLaunchConfigurations",
+				"autoscaling:DescribeTags",
+				"autoscaling:SetDesiredCapacity",
+				"autoscaling:TerminateInstanceInAutoScalingGroup",
+			}))
+		})
+	})
+
 	Describe("UserData", func() {
 
 		var c *cloudconfig.CloudConfig

diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
@@ -132,5 +132,18 @@ func (n *NodeGroupResourceSet) addResourcesForIAM() {
 		},
 	)
 
+	if n.spec.Addons.WithIAM.PolicyAutoScaling {
+		n.rs.attachAllowPolicy("PolicyAutoScaling", refIR, "*",
+			[]string{
+				"autoscaling:DescribeAutoScalingGroups",
+				"autoscaling:DescribeAutoScalingInstances",
+				"autoscaling:DescribeLaunchConfigurations",
+				"autoscaling:DescribeTags",
+				"autoscaling:SetDesiredCapacity",
+				"autoscaling:TerminateInstanceInAutoScalingGroup",
+			},
+		)
+	}
+
 	n.rs.newOutputFromAtt(cfnOutputNodeInstanceRoleARN, "NodeInstanceRole.Arn", true)
 }
diff --git a/pkg/eks/api/api.go b/pkg/eks/api/api.go
@@ -89,4 +89,5 @@ type ClusterAddons struct {
 // AddonIAM provides an addon for the AWS IAM integration
 type AddonIAM struct {
 	PolicyAmazonEC2ContainerRegistryPowerUser bool
+	PolicyAutoScaling                         bool
 }